[#46514] - [6.1] Add proof-of-work captcha
- Fixed in Code Base
- 5 Dec 2025
- Medium
- Build: 6.1-dev
- # 46514
- Diff
- SniperSister:6.1-powcaptcha
User tests: Successful: Unsuccessful:
Summary of Changes
This PR adds a new captcha to Joomla core. It's based on the concept of "proof of work": it presents a math task to the user's browser that the browser can solve automatically. It's not supposed to proof humanship of the user, but to proof that the user is willing to invest the necessary time to solve the task.
That makes it an excellent fit for Joomla's usecase:
- it does not rely on an external service, does not need an API key and does not have any privacy implications
- it's based on an opensource library
- it does not try to proof humanship - a fight that we can't win anyways
- it's accessible
It's currently based on the altcha library, see https://altcha.org - please note the emphasize on "currently", as the rather generic naming of the plugin would allow core to switch to a different library in the future. A different implementation for altcha was already available as a 3rd party extension (see https://github.com/akeeba/plg_captcha_altcha/).
Testing Instructions
- Apply the patch
- Install the composer and npm dependencies
- Discover, install and enable the plugin
- Configure a contact form
- Set the captcha as default captcha in the global configuration
- Submit the form
Remarks and next steps
Altcha recommends to increase the difficulty of the captcha for repetitive submissions. This would require the implementation of a generic ratelimiting framework in the core and is on the agenda.
Sponsor
This PR is funded by GLS Parcel Services Germany, https://www.gls-pakete.de
Link to documentations
Please select:
-
Documentation link for docs.joomla.org:
-
No documentation changes for docs.joomla.org needed
-
Pull Request link for manual.joomla.org:
-
No documentation changes for manual.joomla.org needed
| Status | New | ⇒ | Pending |
joomla-cms-bot
- | Category | ⇒ | SQL Administration com_admin Postgresql Language & Strings Repository External Library Composer Change Installation NPM Change Front End Plugins |
| Labels |
Added:
Language Change
Composer Dependency Changed
NPM Resource Changed
PR-6.1-dev
|
||
I dont see why this should be in core and not an extension
I dont see why this should be in core and not an extension
it has already been approved by production department and is on the feature roadmap https://developer.joomla.org/strategy.html#roadmap
| Labels |
Added:
Feature
|
||
| Title |
|
||||||
Side Note: will add a replay attack prevention, therefore it’s set to draft
Side Note: will add a replay attack prevention, therefore it’s set to draft
Done!
Please follow the style guide https://manual.joomla.org/docs/user-interface-text/words2watch/ so CAPTCHA is always capitalised.
And try to avoid "click" on and use "select" or something similar as you can't "click" on a touch device.
Done!
Please add this plugin to the array of core extensions in libraries\src\Extension\ExtensionHelper.php in a new group for captcha plugins
| Category | SQL Administration com_admin Postgresql Language & Strings Repository External Library Composer Change Installation NPM Change Front End Plugins | ⇒ | SQL Administration com_admin Postgresql Language & Strings Repository External Library Composer Change Installation Libraries NPM Change Front End Plugins |
| Title |
|
||||||
Please add this plugin to the array of core extensions in libraries\src\Extension\ExtensionHelper.php in a new group for captcha plugins
Done!
Please update the code to use new Captcha API:
https://manual.joomla.org/docs/building-extensions/plugins/plugin-examples/captcha-plugin/
Done
Where are the values for the difficulty are coming from?
On my PC rough estimate numbers are
- easy needs about 100ms
- moderate needs about 150ms
- hard needs about about 300ms
Not sure what a good value is but this values sounds a bit low if we try to slow down bots.
with a custom value of 250.000 it took about 400ms
Wouldn't it make sense to simply add a factor of 10 for each difficulty?
with a custom value of 2.500.000 it took about 4.8s
Where are the values for the difficulty are coming from?
Those are well above the default value that altcha currently suggests. Don't forget: your PC is not the average machine ;)
my phone needs 11 seconds for 2.5m so that doesn't sound too high^^
of course 11 seconds or 4 seconds is long but hard should be at 1 second?
but can live with that
I have tested this item ✅ successfully on 3a30fa8
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/46514.
I have tested this item ✅ successfully on 3a30fa8
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/46514.
| Status | Pending | ⇒ | Fixed in Code Base |
| Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2025-12-05 08:58:35 |
| Closed_By | ⇒ | tecpromotion |
please alphasort the language strings